For everything from scheduling backups to comparing security logs after a break-in, network administrators depend on the good time-keeping an NTP server can provide.

Good time-keeping is not an obvious priority for network administrators, but the more you think about it, the
clearer it is that accurate clocks have a crucial role to play on any network. Let the clocks on your networked
devices get out of sync and you could end up losing valuable corporate data.

Here are just a few things that rely on hardware clocks which are accurately set and in sync with each other:

Scheduled data backups

Successful backups are vital to any organization. Systems
that are too far out of sync may fail to back up correctly, or even at all.

Network accelerators

These and other devices that use caching and wide area file systems
may rely heavily on file time stamps to work out which version of a piece of data is the most current. Bad time
syncing could cause these systems to work incorrectly and use the wrong versions of data.

Network management systems

When things go wrong, examining system logs is a key part of
fault diagnosis. But if the timing in these logs is out of sync it can take much longer than necessary to figure out
what went wrong and to get systems up and running again.

Intrusion analysis

In the event of a network intrusion, working out how your network was
compromised and what data was accessed may only be possible if you have accurately time-stamped router and server
logs. Hackers will often delete logs if they can, but even if they don't, inaccurate time data makes the job far
harder, giving hackers more time to exploit your network.

Compliance regulations

Sarbanes-Oxley, HIPAA, GLBA and other regulations do or may in
the future require accurate time stamping of some categories of transactions and data.

Trading systems

Companies in some sectors may make thousands of electronic trades per
second. In this sort of environment system clocks need to be very accurate indeed.
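
The intrusion-analysis point above can be shown with a short added example (not part of the original article). It merges constructed router and server log lines into one timeline, first as recorded and then after applying each host's measured clock error; the host names, log format and the 4.2-second error are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs: router1's clock is correct, srv5's clock runs 4.2 s slow.
ROUTER_LOG = [
    "2024-03-01T02:14:07.300 router1 ACCEPT tcp 203.0.113.9:51514 -> 10.0.0.5:22",
    "2024-03-01T02:14:12.900 router1 ACCEPT tcp 10.0.0.5:40022 -> 198.51.100.7:443",
]
SERVER_LOG = [
    "2024-03-01T02:14:03.600 srv5 sshd: Accepted password for backup from 203.0.113.9",
    "2024-03-01T02:14:08.100 srv5 audit: read /srv/finance/q4.xlsx by backup",
]
# Assumed measurements: seconds to ADD to each host's timestamps to get true time.
CLOCK_CORRECTION = {"router1": 0.0, "srv5": 4.2}


def parse(line):
    """Split one log line into (timestamp, host, message)."""
    stamp, host, message = line.split(" ", 2)
    return datetime.fromisoformat(stamp), host, message


def timeline(lines, correction=None):
    """Merge log lines into one time-ordered list, optionally correcting clock error."""
    events = []
    for line in lines:
        stamp, host, message = parse(line)
        if correction is not None:
            if host not in correction:
                # An unmeasured clock cannot be placed on the shared timeline.
                raise KeyError(f"no clock offset recorded for {host}")
            stamp += timedelta(seconds=correction[host])
        events.append((stamp, host, message))
    return sorted(events)


if __name__ == "__main__":
    for title, corr in (("as recorded", None), ("corrected", CLOCK_CORRECTION)):
        print(f"--- {title} ---")
        for stamp, host, message in timeline(ROUTER_LOG + SERVER_LOG, corr):
            print(stamp.time(), host, message)
```

As recorded, the SSH login appears to happen before the router accepted the inbound connection; once corrected, the file read lands 0.6 seconds before the outbound connection instead of nearly five.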

Many companies set and synchronize their devices using Network Time Protocol (NTP), with NTP clients or
daemons connecting to time servers on the network known as stratum-2 devices. To ensure these stratum-2 time servers
are accurate, they are synced over the Internet through port 123 with a stratum-1 device. This public time server is
connected directly (i.e. not over a network) to one or more stratum-0 devices - extremely accurate reference
clocks.

Unfortunately, there are a number of potential problems with this approach. The most basic one is that the time
that a stratum-2 server on a corporate network receives over the Internet from a stratum-1 server is not very precise.
That's because the time data has to travel over the Internet - from the time server to the corporate time source - in
an unpredictable way, and at an unpredictable speed. This means it always has a varying, and unknown, error factor.
Although all the devices on a local area network that update themselves from the same corporate stratum-2 time server
may be reasonably well synchronized (to within anything from 1 to about 100 milliseconds), keeping the time
synchronized between stratum-2 devices on different local area networks to a reasonable degree of accuracy can be
difficult.
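
The error factor described above can be made concrete with an added example (not from the original article). It uses the standard NTP on-wire calculation from RFC 5905, in which a client derives clock offset and round-trip delay from four timestamps, and runs it over constructed exchanges; the delay values and the 250 ms true offset are assumptions chosen for illustration.

```python
def ntp_sample(t1, t2, t3, t4):
    """Offset and round-trip delay from one NTP exchange (RFC 5905 formulas).

    t1: client transmit, t2: server receive, t3: server transmit,
    t4: client receive. t1/t4 are read from the client clock, t2/t3 from
    the server clock, all in seconds.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange(true_offset, out_delay, back_delay,
                      server_proc=0.0001, t1=1000.0):
    """Constructed exchange where server clock = client clock + true_offset."""
    t2 = t1 + out_delay + true_offset          # request arrives, server clock
    t3 = t2 + server_proc                      # reply leaves, server clock
    t4 = (t3 - true_offset) + back_delay       # reply arrives, client clock
    return ntp_sample(t1, t2, t3, t4)


def offset_error(true_offset, out_delay, back_delay):
    """Return (error in the estimated offset, worst-case bound = delay / 2).

    The client can only assume the two directions took equal time, so the
    error equals half the difference between outbound and return delay.
    """
    offset, delay = simulate_exchange(true_offset, out_delay, back_delay)
    return offset - true_offset, delay / 2


if __name__ == "__main__":
    # Constructed paths: a near-symmetric LAN and an asymmetric Internet route.
    for label, out, back in [("LAN", 0.0004, 0.0005),
                             ("Internet", 0.080, 0.020)]:
        err, bound = offset_error(0.25, out, back)
        print(f"{label}: offset error {err * 1000:+.2f} ms, "
              f"bound +/-{bound * 1000:.2f} ms")
```

The client sees only the round-trip delay, not how it splits between the two directions, so the asymmetric path produces a 30 ms error that it cannot detect from the exchange itself.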

Security Risks with NTP Servers

There are also security risks involved in using public stratum-1 NTP servers, most notably:

NTP clients and daemons are in themselves a potential security risk. Vulnerabilities in this type of software could
be (and have in the past been) exploited by hackers sending appropriately crafted packets through the corporate
firewall on port 123.

Organizations that use public NTP servers are susceptible to denial of service attacks by a hacker sending spoofed
NTP data, making time syncing impossible during the attack. For companies involved in activities such as financial
trading - which requires very precise timing information - this could be very damaging.

One way to both avoid these potential security issues and to get more accurate time data is simply to run one or
more stratum-1 servers inside your network, behind your corporate firewall.

Running Your Own Stratum-1 Servers

Stratum-1 time servers are available in a single 1U rack-mountable form factor that can easily be installed in your
server room or data center and connected to your network, and most have a way of connecting to a stratum-0 reference
clock built in. The most commonly used ways to connect to a stratum-0 device are by terrestrial radio or GPS signals.

Terrestrial radio based connections use radio signals such as WWVB out of Fort Collins, Colorado, MSF from Anthorn,
UK, or DCF77 from Frankfurt, Germany. This is similar to the way consumer devices such as watches and alarm clocks
update themselves with signals from reference clocks to keep accurate time.

Stratum-1 time servers that sync with GPS satellite signals are more accurate, but are less convenient to install as
they need to be connected to an antenna fitted in a suitable position on the roof of the building. Using time data
from a number of satellites, and by calculating the distance of each satellite from the antenna, a stratum-1 time
server that uses GPS reference clock signals is able to get the precise time to within 50 or so nanoseconds. More
importantly, two or more of these servers at separate locations and running on separate local area networks can also
remain in sync with each other to a similar degree of accuracy. Companies that supply this type of equipment include
Symmetricom, Spectracom, EndRun Technologies and Time
Tools.

To provide redundancy, some larger organizations install multiple GPS-based time servers at each location. An
alternative is to have a radio-based time server as a back up to a GPS-based one in case the GPS server itself fails
or, more likely, the GPS antenna is damaged, perhaps during bad weather. Given that most radio and GPS based time
servers cost between $1,000 and $5,000, purchasing two or more time servers is not a major investment for a medium or
large organization. Smaller companies, including those at isolated sites which are not connected to the Internet, can
also use a low cost stratum-1 GPS PCI card (connected to an appropriate antenna) to enable a standard PC to act as a time server for the local
area network, using the satellites as an external time source.

In the concluding piece in this series we'll take a look at how to implement a GPS-based time server in your data
center.

prubens@jupitermedia.com
